PLEASE NOTE: I HAVE PERMANENTLY MOVED MY BLOG TO http://www.rationalsurvivability.com/blog

June 03, 2008

You can't go a day without reading from the peanut gallery that it is
"...inevitable that network security will eventually be subsumed into
the network fabric." I'm not picking on Rothman specifically, but he's been banging this drum loudly of late.

For such a far-reaching, profound and prophetic statement, claims like these are strangely myopic and inaccurate... and then they're exactly right.

Confused?

Firstly, it's sort of silly and obvious to trumpet that "network security" will end up in the "network." Duh. What's really meant is that "information security" will end up in the network, but that's sort of goofy, too. You'll even hear that "host-based security" will end up in the network...so let's just say that what's being angled at here is that security will end up in the network.

These statements are often framed within a temporal bracket
that simply ignores the bigger picture and reads like a eulogy. The reality is that historically
we have come to accept that security and technology are
cyclic and yet we continue to witness these terminal predictions defining an end state for security that has never arrived and never will.

Let me make plain my point: there is no final resting place for where and how security will "end up."

I'm visual, so let's reference a very basic representation of my point. This graph represents the cyclic transition over time of where and how
we invest in security.

We ultimately transition between host-based security,
information-centric security and network security over time.

We do this little shuffle based upon the effectiveness and maturity of technology, economics, cultural, societal and regulatory issues and the effects of disruptive innovation. In reality, this isn't a smooth sine wave at all; it's actually more a classic damped oscillation à la the punctuated equilibrium theory I've spoken about before, but it's easier to visualize this way.

Our investment strategy and where security is seen as being "positioned" reverses direction over time and continues ad infinitum. This has proven itself time and time again yet we continue to be wowed by the prophetic utterances of people who on the one hand talk about these never-ending cycles and yet on the other pretend they don't exist by claiming the "death" of one approach over another.

Why?

To answer that let's take a look at how the cyclic pendulum effect of our focus on
security trends from the host to the information to the network and
back again by analyzing the graph above.

If we take a look at the arbitrary "starting" point indicated by the "You Are Here" dot on the sine wave above, I suggest that over the last 2-3 years or so we've actually headed away from the network as the source of all things security.

There are lots of reasons for this: economic, ideological, technological, regulatory and cultural. If you want to learn more about this, check out my posts on how disruptive innovation fuels strategic transience.

In short, the network has not been able to (and never will) deliver the efficacy, capabilities or
cost-effectiveness desired to secure us from evil, so instead we look at
actually securing the information itself. The security industry messaging of late is certainly bearing testimony to that fact. Check out this year's RSA conference...

As we focus then on information centricity, we see the resurgence of ERM, governance and compliance come into focus. As policies proliferate, we realize that this is really hard and we don't have effective and ubiquitous data
classification, policy affinity and heterogeneous enforcement capabilities. We shake our heads at the ineffectiveness of the technology we have and hear the cries of pundits everywhere that we need to focus on the things that really matter...

In order to ensure that we effectively classify data at the point of creation, we recognize that we can't do this automagically and we don't have standardized schemas or metadata across structured and unstructured data, so we'll look at each other, scratch our heads and conclude that the applications and operating systems need modification to force fit policy, classification and enforcement.

Rot roh.

Now that we have the concept of policies and classification, we need the teeth to ensure it, so we start to overlay emerging technology solutions on the host in applications and via the OS's that are unfortunately non-transparent and affect the users and their ability to get their work done. This becomes labeled as a speed bump and we grapple with how to make this less impacting on the business since security has now slowed things down and we still have breaches because users have found creative ways of bypassing technology constraints in the name of agility and efficiency...

At this point, the network catches up in its ability to process closer to "line
speed," and some of the data classification functionality from the host commoditizes into the "network" -- which by then is as much in the form of appliances as it is routers and switches -- and always
will be. So as we round this upturn focusing again on being "information centric," with the help of technology, we seek to use our network investment to offset impact on our users.

Ultimately, we get the latest round of "next generation" network solutions which promise to deliver us from our woes, but as we "pass go and collect $200" we realize we're really at the same point we were at point #1.

'Round and 'round we go.

So, there's no end state. It's a continuum. The budget and operational elements of who "owns" security and where it's implemented simply follow the same curve. Throw in disruptive innovation such as virtualization, and the entire concept of the "host" and the "network" morphs and we simply realize that it's a shift in period on the same graph.

So all this pontification that it is "...inevitable that network security will eventually be subsumed into
the network fabric" is only as accurate as what phase of the graph you reckon you're on. Depending upon how many periods you've experienced, it's easy to see how some who have not seen these changes come and go could be fooled into not being able to see the forest for the trees.

Here's the reality we actually already know, and it should not come as a surprise if you've been reading my blog: we will always need a blended investment in technology, people and process in order to manage our risk effectively. From a technology perspective, some of this will take the form of controls embedded in the information itself, some will come from the OS and applications and some will come from the network.

Anyone who tells you differently has something to sell you or simply needs a towel for the back of his or her ears...

SanDisk is bringing to market a set of high-capacity USB flash drives that feature built-in filesystem encryption as well as strong authentication and access control. If the device gets lost with the data on it, it's "safe and secure" because it's encrypted. They are positioning this as an "endpoint security" solution.

I'm not going to debate the merits/downsides of that approach because I haven't seen their pitch, but suffice it to say, I think it's missing a "couple" of pieces to solve anything other than a very specific set of business problems.

Larry's dilemma stems from the fact that he maintains that this capability and functionality is really about data loss protection and doesn't have much to do with "endpoint security" at all:

We debated that in my office for a few minutes. From my perspective, this solution seems more like a data loss prevention solution than endpoint security. Admittedly, there are many flavors of endpoint security. When I think of endpoint security, I think of network access control (NAC), configuration management, vulnerability management and security policy enforcement. While this solution is designed for the endpoint client, it doesn't do any of the above tasks. Rather, it forces users to use one type of portable media and transparently applies security protection to the data. To me, that's DLP.

In today's market taxonomy, I would agree with Larry. However, what Larry is struggling with is not really the current state of DLP versus "endpoint security," but rather the future state of converged information-centric governance. He's describing the problem that will drive the solution as well as the inevitable market consolidation to follow.

This is actually the whole reason Mogull and I are talking about the evolution of DLP as it exists today to a converged solution we call CMMP -- Content Management, Monitoring and Protection. {Yes, I just added another M for Management in there...}

What CMMP represents is the evolved and converged end-state technology integration of solutions that today provide a point solution but "tomorrow" will be combined/converged into a larger suite of services.

Off the cuff, I'd expect that we will see at a minimum the following technologies being integrated to deliver CMMP as a pervasive function across the information lifecycle and across platforms in flight/motion and at rest:

Data leakage/loss protection (DLP)

Identity and access management (IAM)

Network Admission/Access Control (NAC)

Digital rights/Enterprise rights management (DRM/ERM)

Seamless encryption based upon "communities of interest"

Information classification and profiling

Metadata

Deep Packet Inspection (DPI)

Vulnerability Management

Configuration Management

Database Activity Monitoring (DAM)

Application and Database Monitoring and Protection (ADMP)

etc...

That's not to say they'll all end up as a single software install or network appliance, but rather a consolidated family of solutions from a few top-tier vendors who have coverage across the application, host and network space.

If you were to look at any enterprise today struggling with this problem, they likely have or are planning to have most of the point solutions above anyway. The difficulty is that they're all from different vendors. In the future, we'll see larger suites from fewer vendors providing a more cohesive solution.

This really gives us the "cross domain information protection" that Rich talks about.

We may never achieve the end-state described above in its entirety, but it's safe to say that the more we focus on the "endpoint" rather than the "information on the endpoint," the bigger the problem we will have.

March 10, 2008

Since Mogull and I collaborate quite a bit on projects and share many thoughts and beliefs, I wanted to make a couple of comments on his last post on Information Centricity and remind the audience at home of a couple of really important points.

Rich's post was short and sweet regarding the need for Information-Centric solutions with some profound yet subtle guideposts:

For information-centric security to become a reality, in the long term it needs to follow the following principles:

Information (data) must be self describing and defending.

Policies and controls must account for business context.

Information must be protected as it moves from structured to
unstructured, in and out of applications, and changing business context.

Policies must work consistently through the different defensive layers and technologies we implement.

I’m not convinced this is a complete list, but I’m trying to keep to
my new philosophy of shorter and simpler. A key point that might not be
obvious is that while we have self-defending data solutions, like DRM
and label security, for success they must grow to account for business
context. That’s when static data becomes usable information.

Mike Rothman gave an interesting review of Rich's post:

The Mogull just laid out your work for the next 10 years. You just
probably don't know it yet. Yes, it's all about ensuring that the
fundamental elements of your data are protected, however and wherever
they are used. Rich has broken it up into 4 thoughts. The first one
made my head explode: "Information (data) must be self-describing and
defending."

Now I have to clean up the mess. Sure things like DRM are a
bad start, and have tarnished how we think about information-centric
security, but you do have to start somewhere. The reality is this is a
really long term vision of a problem where I'm not sure how you get
from Point A to Point B. We all talk about the lack of innovation in
security. And how the market just isn't exciting anymore. What Rich
lays out here is exciting. It's also a really really really big
problem. If you want a view of what the next big security company does,
it's those 4 things. And believe me, if I knew how to do it, I'd be
doing it - not talking about the need to do it.

For reference, here are the Jericho Forum's Ten Commandments. Please see #9:

As Mike alluded, DRM/ERM has received a bad rap because of how it's implemented -- which has really left a sour taste in the mouths of the consumer consciousness. As a business tool, it is the precursor of information-centric policy and will become the linchpin in how we will ultimately gain a foothold on solving the information resiliency/assurance/survivability problem.

As to the innovation and dialog that Mike suggests is lacking in this space, I'd suggest he's suffering from a bit of Shiitake-ism (à la mushroom-itis). The next generation of DLP solutions that are becoming CMP (Content Monitoring and Protection -- a term I coined) are evolving to deal with just this very thing. It's happening. Now.

Further to that, I have been briefed by some very, very interesting companies that are in stealth mode who are looking to shake this space up as we speak.

So, prepare for Information Survivability, increased Information Resilience and assurance. Coming to a solution near you...

October 03, 2007

As a follow-up to my blog entry here regarding Amazon.com and MP3 Watermarking...

Alex Halderman over at the Freedom To Tinker blog yesterday posted an entry that seems to confirm the theory that Amazon.com is not individually tagging each MP3 file purchased and that any file downloaded with the same title is identical to that downloaded by another user:

Last week Amazon.com launched a DRM-free music store.
It sells tracks from two major labels and many independents in the
unprotected MP3 file format. In addition to being DRM-free, Amazon’s
songs are not individually watermarked. This is an important step
forward for the music industry.

Some content companies see individualized watermarks as a
consumer-friendly alternative to DRM. Instead of locking down files
with restrictive technology, individualized watermarking places
information in them that identifies the purchasers, who could
conceivably face legal action if the files were publicly shared. Apple
individually watermarks DRM-free tracks sold on iTunes, but every
customer who purchases a particular track from Amazon receives the
exact same file.

The company has stated as much, and colleagues and I
confirmed this by buying a small number of files with different Amazon
accounts and verifying that they were bit-for-bit identical. (As Wired reports,
some files on Amazon’s store have been watermarked by the record
labels, but each copy sold contains the same mark. The labels could use
these marks to determine that a pirated track originated from Amazon,
but they can’t trace a file to a particular user.)

This is good news and I thank Alex and his friends for doing the dirty work and actually confirming these statements instead of just parroting them back and taking Amazon's word for it. The rest of Alex's blog entry provides good insight as to the risks -- legal, security and otherwise -- that swirl around the contentious topic of DRM. Please read the article in its entirety.

September 26, 2007

About a month ago, I posted about a CNET article by Matt Rosoff which suggested that digital watermarking would replace DRM. My suggestion was that it was pretty obvious that watermarking won't "replace" DRM, it is merely another accepted application of it.

Interestingly, the author (Adam Frucci) shows an image featuring the audio substrates of the original recording, the watermarked encoding and the resultant subtracted watermarked artifacts:

Amazon.com's
new MP3 store watermarks its MP3s, but only with information stating
where the songs were purchased, not who did the purchasing, according
to the online uberstore.

That's the good news. The bad news is that
this issue has inspired me to ramble about the stupidity of the whole
idea of watermarking tracks with identifying info.

I mean, what would be the point? Most music that gets widely pirated
comes from scene groups that do rips from CDs, not from people who
legally purchase music online. It's the same thing I never understood
about DRM: it only takes one copy getting ripped or spread around for
something to be easily accessed in the pirate-o-sphere, so why waste so
much time keeping normal people from sharing? I mean, even if they did
find some Kanye song in a girl's shared Soulseek folder and it was ID'd
with some dude's name, what does that prove? Not much. In any case,
Amazon doesn't look to be doing anything of the sort, so bravo to that,
and another kudos to them for selling only straight-up MP3s. Now just
get all the labels on board and we'll have the music store we've all been
clamoring for for so long.

I agree with the author that, if we assume the watermark only describes where the song was purchased, it does little good beyond the use I raised in the previous article referenced above, namely what Universal plans to use watermarking for:

Universal can then use this data to
help decide whether the risk of piracy outweighs the increased sales
from DRM-free MP3 files, segmenting this decision by particular
markets. For example, it might find that new Top 40 singles are more
likely to find their way onto file-trading networks than classic rock
from the 1970s.

But that's really not the reason for this post. The reason for this post is the bold-faced, underlined text in the fourth paragraph above: "according to the online uberstore." The author is simply going on Amazon's word that the artifacts only contain purchase origin data and nothing regarding the purchaser?

I find it odd that he's not particularly concerned with validating Amazon's claims and is willing to take them on face value that this is all the watermarks contain in order to support such a lofty title for the article.

August 24, 2007

OK, so way back in April, on the cusp of one of my normal rages against the (security) machine, I blogged how Data Leakage Protection (DLP) is doomed to be a feature and not a market.

I said the same thing about NAC, too. Makin' friends and influencin' people. That's me!

Oh my, how the emails flew from the VPs of Marketing & Sales at the various "Flying V's" (see below). Good times, good times.

Here are snippets of what I said:

Besides having the single largest collection of vendors that begin with
the letter 'V' in one segment of the security space (Vontu, Vericept,
Verdasys, Vormetric...what the hell!?) it's interesting to see how
quickly content monitoring and protection functionality is approaching
the inflection point of market versus feature definition.

The "evolution" of the security market marches on.

Known by many names, what I describe as content monitoring and
protection (CMP) is also known as extrusion prevention, data leakage or
intellectual property management toolsets. I think for most, the
anchor concept of digital rights management (DRM) within the Enterprise
becomes glue that makes CMP attractive and compelling; knowing what and
where your data is and how its distribution needs to be controlled is
critical.

The difficulty with this technology is that, just like any other
feature, it needs a delivery mechanism. Usually this means yet another
appliance; one that's positioned either as close to the data as
possible or right back at the perimeter in order to profile and control
data based upon policy before it leaves the "inside" and goes "outside."

I made the point previously that I see this capability becoming a
feature in a greater amalgam of functionality; I see it becoming table
stakes included in application delivery controllers, FW/IDP systems and
the inevitable smoosh of WAF/XML/Database security gateways (which I
think will also further combine with ADCs).

I see CMP becoming part of UTM suites. Soon.

That being said, the deeper we go to inspect content in order to
make decisions in context, the more demanding the requirements for the
applications and "appliances" that perform this functionality become.
Making line speed decisions on content, in context, is going to be
difficult to solve.

CMP vendors are making a push seeing this writing on the wall, but
it's sort of like IPS or FW or URL Filtering...it's going to smoosh.

I didn't even bother to go into the difficulty and differences in classifying, administering, controlling and auditing structured versus unstructured data, nor did I highlight the differences between those solutions on the market who seek to protect and manage information from leaking "out" (the classic perimeter model) versus management of all content ubiquitously regardless of source or destination. Oh, then there's the whole encryption in motion, flight and rest thing...and metadata, can't forget that...

Yet I digress...let's get back to industry dynamics. It seems that Uncle Art is bound and determined to make good on his statement that in three years there will be no stand-alone security companies left. At this rate, he's going to buy them all himself!

As we no doubt already know, EMC acquired Tablus. Forrester seems to think this is the beginning of the end of DLP as we know it. I'm not sure I'd attach *that* much gloom and doom to this specific singular transaction, but it certainly makes my point:

EMC expects Tablus to play a key role in
its information-centric security and storage lineup. Tablus' balanced
information leak prevention (ILP) offering will benefit both sides of
the EMC/RSA house, boosting the latter's run at the title of
information and risk market leader. Tablus' data classification
capabilities will broaden EMC's Infoscape beyond understanding
unstructured data at rest; its structured approach to data detection
and protection will provide a data-centric framework that will benefit
RSA's security offerings like encryption and key management. While
holding a lot of potential, this latest acquisition by one of the
industry's heavyweights will require comprehensive integration efforts
at both the technology and strategic level. It will also increase the
pressure on other large security and systems management vendors to
address their organization's information risk management pain points.
More importantly, it will be remembered as the turning point that led
to the demise of the standalone ILP market as we know it today.

So Mogull will probably (still) disagree, as will the VPs of Marketing/Sales working for the Flying V's who will no doubt barrage me with email again, but it's inevitable. Besides, when an analyst firm agrees with you, you can't be wrong, right Rich!?

August 17, 2007

I sat staring at my screen today with a squinty look in my eyes and a soured puss as my wife asked me why I looked so funny. "Meh!" I replied tersely.

The real answer was that I was pondering a question asked by the title of a topical piece penned by CNET's Matt Rosoff which begged: "Watermarking to Replace DRM?"

I think the reason I looked so perturbed is that it was an overtly stupid innocent question given that it's pretty obvious that watermarking won't "replace" DRM, it is merely another accepted application of it.

It doesn't take much to remember that the 'M' in 'DRM' stands for management. Tracking how files move around is part of the M. Why is this any different? The point of monitoring anything is either to: (a) gather intelligence which can be used to (b) implement a control or effect a disposition based upon said intelligence.

It's interesting that in many cases we risk giving up our 'R' but that's a topic for a different post.

So here's the premise of watermarking -- something I think most of us understand:

So what's watermarking? It's the insertion of extra data into an audio
stream that can help identify where that audio came from. It's not
enough to attach data to a digital audio file--users can just burn that
file to a CD and then re-rip it, changing the file format and stripping
off all the data associated with the original file. (This is also the
classic way users get around DRM.) Instead, the data is inserted into
the audio track itself. It's inaudible to human ears, but detectable by
various other tools.
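The two mechanics quoted on this page, a mark carried inside the audio samples so that it survives the burn-and-re-rip that strips file tags (above), and the Halderman check quoted in the October 3 entry that two purchases of the same track come back bit-for-bit identical, in one added Python example. This is my own illustration, not code from this post, CNET, Amazon, Universal or Halderman: the quantisation-index (QIM) embedding, the BLOCK/DELTA/KEY constants, the tag-plus-PCM container and the store and purchaser IDs are all constructed for the demonstration and stand for no real product's format.

```python
import hashlib
import random
import struct

# Assumed scheme for illustration: one payload bit per block of samples, embedded by
# quantisation-index modulation (QIM) on a key-derived dithered lattice. Not any vendor's scheme.
BLOCK = 256             # samples carrying one payload bit
DELTA = 16              # lattice step; tiny against 16-bit full scale, so the mark is quiet
KEY = 20070926          # constructed detector key (a real scheme keeps this secret)
STORE_ID = 0xA5         # constructed "where it was bought" mark, shared by every buyer
PURCHASER_ID = 0x3C2F   # constructed per-buyer mark, the kind the bit-for-bit check rules out


def make_track(n_samples=BLOCK * 32, seed=1):
    """Constructed stand-in for an audio master: pseudo-random 16-bit PCM samples."""
    rng = random.Random(seed)
    return [rng.randint(-12000, 12000) for _ in range(n_samples)]


def to_bits(value, n):
    return [(value >> (n - 1 - k)) & 1 for k in range(n)]


def from_bits(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def embed(samples, payload, key):
    """Move each sample of block i onto the even or odd dithered lattice point, per payload bit i."""
    rng = random.Random(key)
    out = list(samples)
    for i, bit in enumerate(payload):
        for j in range(i * BLOCK, (i + 1) * BLOCK):
            d = rng.randrange(DELTA)                  # key-derived dither, one value per sample
            q = round((out[j] - d) / DELTA)           # nearest lattice index
            if (q & 1) != bit:                        # wrong parity: step to the neighbour on our side
                q += 1 if (out[j] - d) >= q * DELTA else -1
            out[j] = q * DELTA + d
    return out


def detect(samples, n_bits, key):
    """Blind detection: read each sample's lattice parity and majority-vote per block."""
    rng = random.Random(key)
    bits = []
    for i in range(n_bits):
        votes = 0
        for j in range(i * BLOCK, (i + 1) * BLOCK):
            d = rng.randrange(DELTA)
            votes += 1 if round((samples[j] - d) / DELTA) & 1 else -1
        bits.append(1 if votes > 0 else 0)
    return bits


def write_file(tag, samples):
    """Constructed container: a text metadata tag, a NUL, then little-endian 16-bit PCM."""
    return tag.encode() + b"\0" + struct.pack(f"<{len(samples)}h", *samples)


def read_file(blob):
    tag, pcm = blob.split(b"\0", 1)
    return tag.decode(), list(struct.unpack(f"<{len(pcm) // 2}h", pcm))


def store_marked_copy(master, purchaser=None):
    """What the store hands a buyer: the store mark always, a per-buyer mark only if asked for."""
    payload = to_bits(STORE_ID, 8)
    tag = "store=example-store"
    if purchaser is not None:
        payload += to_bits(purchaser, 16)
        tag += f";buyer={purchaser:#x}"
    return write_file(tag, embed(master, payload, KEY))


def burn_and_rerip(blob, seed=7):
    """Model the CD round trip from the quote: the tag is lost, the audio picks up small noise."""
    _, samples = read_file(blob)
    rng = random.Random(seed)
    return write_file("", [s + rng.randint(-5, 5) for s in samples])


def identical(blob_a, blob_b):
    """The Halderman check: do two purchases compare bit-for-bit? Hashes suffice for that."""
    return hashlib.sha256(blob_a).digest() == hashlib.sha256(blob_b).digest()


def differing_blocks(blob_a, blob_b):
    """Where two copies differ, block by block: localises a per-copy mark if one is present."""
    _, a = read_file(blob_a)
    _, b = read_file(blob_b)
    n = min(len(a), len(b)) // BLOCK
    return [i for i in range(n) if a[i * BLOCK:(i + 1) * BLOCK] != b[i * BLOCK:(i + 1) * BLOCK]]


if __name__ == "__main__":
    master = make_track()
    copy_a, copy_b = store_marked_copy(master), store_marked_copy(master)
    print("store-level mark only, two buyers identical:", identical(copy_a, copy_b))
    per_user = store_marked_copy(master, purchaser=PURCHASER_ID)
    print("per-buyer copy differs from copy_a in blocks:", differing_blocks(copy_a, per_user))
    tag, samples = read_file(burn_and_rerip(per_user))
    bits = detect(samples, 8 + 16, KEY)
    print("after re-rip: tag=%r store=%#x buyer=%#x" % (tag, from_bits(bits[:8]), from_bits(bits[8:])))
```

With only the store-level mark present, every buyer's file hashes the same, which is all a comparison across accounts can tell you; differing_blocks shows what that same comparison reveals when a per-copy mark is present. The CD round trip drops the tag but the parity mark survives, because the added noise stays below half the lattice step; a real scheme needs far more than this toy to survive lossy re-encoding, which is the gap the quoted article glosses over.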

What I found interesting from a security and technology perspective was the following:

In the case of Universal, the watermarking data won't identify each individual file--a
method that would allow the company to trace pirated files back to
their first purchaser. Instead, it will only identify the particular
song. Eventually, Universal will look at popular file-trading networks,
and see which of the DRM-free songs released through its experimental
program ended up on these networks.

Firstly, I don't believe the first sentence. Sorry, I'm a skeptic. Secondly, this technology and its application isn't new at all. I have it on very, very good authority that existing technology has been used in this exact manner for the last several years by the RIAA in order to track and monitor P2P file swapping which includes audio. It's used by government and military operators, also.

How do you think those subpoenas get issued specifically against those 12-year-old girls swapping Shakira MP3s? They can definitively link a specifically watermarked MP3 with the IP address of the downloader after it's injected into the network and consumed...by using watermarking.

(Ed: Comments below by Jordan suggest that this practice is not used heavily. I cannot dispute this assertion, but I maintain that the technology has been used in this manner. See the comments for an interesting perspective.)

It's the same technology used by DLP and DRM solutions in the enterprise today. So, watermarking is just another means to the end. Period.

This is the funny part of the story:

Universal can then use this data to
help decide whether the risk of piracy outweighs the increased sales
from DRM-free MP3 files, segmenting this decision by particular
markets. For example, it might find that new Top 40 singles are more
likely to find their way onto file-trading networks than classic rock
from the 1970s.